
@jwaresoft
Last active November 14, 2024 21:04
Encrypted RAID Notes And Instructions

Encrypted RAID

Instructions for creating, mounting, and fighting with encrypted RAID on Linux. I wrote these for myself and figured I would share them here in case someone else is trying to do this.

Setting Up A New Encrypted Raid

Setting up a new encrypted RAID.

Note: It has been a while since I did this on Ubuntu/Debian, as I have migrated to Fedora Linux. These instructions worked for me the last time I did this, and I was able to successfully move the RAID as-is to Fedora Server. That being said, hopefully it works for you.

Step 0: Installing mdadm & cryptsetup:

On Fedora

sudo dnf install mdadm cryptsetup   # the cryptsetup package provides the command; cryptsetup-libs is only the library

On Debian / Ubuntu

sudo apt-get update && sudo apt-get install mdadm cryptsetup

Step 1: Find which disks we will be using:

lsblk

Make note which drives you will be using, for me it was /dev/sdd and /dev/sde

Step 2: Creating the raid device:

Decide which raid type you would like to use if you have not already. The example below is for a 2 device RAID 1, but you would just change the commands according to devices, number of devices, type of raid, etc:

sudo mdadm --create /dev/<md420> --chunk=4 --level=1 --raid-devices=2 /dev/sdd /dev/sde   # you can pick the md number yourself

Generic Version of this Command:

sudo mdadm --create /dev/<md420> --chunk=4 --level=<raid type> --raid-devices=<number of devices> <device list, e.g. /dev/sdb /dev/sdc ...>

In my case I used a chunk size of 4 bytes and RAID level 1 (mirroring), but research further whether that suits your setup.

Step 3: Creating the LUKS container

Once the RAID is done setting itself up (this may take a while), we will create an encrypted LUKS container on top of the md device from Step 2.

sudo cryptsetup luksFormat /dev/<md420>
sudo cryptsetup luksOpen /dev/<md420> <cryptodrivename>   # name can be whatever you want

Step 4: Creating the filesystem within your LUKS disk:

Now you want to create the actual filesystem we will write to. I went with ext4, but again, you can do what you wish here.

sudo mkfs.ext4 /dev/mapper/<cryptodrivename>

Step 5: Mount This Thing

Now all that's left is to mount the newly created disk. Create a mount point and mount the partition.

sudo mkdir /media/<mountpoint>
sudo mount /dev/mapper/<cryptodrivename> /media/<mountpoint>

Doing this from a fresh boot:

Opening and mounting:

sudo cryptsetup luksOpen /dev/<md420> <cryptodrivename>
sudo mount /dev/mapper/<cryptodrivename> /media/<mountpoint>

Unmounting and closing:

sudo umount /media/<mountpoint>
sudo cryptsetup luksClose <cryptodrivename>

Mounting At Boot

You probably want this thing permanently available, rather than mounting it by hand with a script or a handful of commands each time you need it.

Step 0: Make sure the RAID is registered in mdadm.conf

To get the raid details,

sudo mdadm --detail --scan

Copy it to mdadm.conf

Fedora

sudo mdadm --detail --scan | sudo tee -a /etc/mdadm.conf

Debian /Ubuntu

sudo mdadm --detail --scan | sudo tee -a /etc/mdadm/mdadm.conf

Step 1: Create a random keyfile. This will be the computer's way of unlocking it without user intervention.

sudo dd if=/dev/urandom of=/root/<RAIDkey> bs=1024 count=4

Step 2: Make it root readable only

sudo chmod 0400 /root/<RAIDkey>

Step 3: Add key as a passphrase to raid

sudo cryptsetup luksAddKey /dev/<md420> /root/<RAIDkey>

Step 4: Get the UUID(s) of the device and add them to crypttab and fstab

We will need the UUID to do this right.

lsblk -o name,uuid

You should get output like this (the member disks, the md device and the opened mapper each show a different UUID):

sda                    
├─sda1                 F676-3A55
├─sda2                 15ff2795-056c-4e00-8dfb-030420214955
└─sda3                 c566215e-b5eb-448e-ab48-1b085ea606f1
  └─sda3_crypt         hapmsg-YdYY-IcGV-gYUa-XEI5-WBQx-OsVtXT
    ├─vgkubuntu-root   3c27a553-7f55-45ca-ae73-b80fd4cea48f
    └─vgkubuntu-swap_1 bbdcdb9d-a50c-43ed-ab30-20ea668b4e65
sdd                    cc9f17b2-eed2-4ba3-d63d-ed2e017fd02b 
└─md420                4687a633-89c6-46e2-b2c6-c73f0ed629bf # <-- you want this one
  └─<raidname>         eb53d96c-3f55-4462-84b8-a5bec22b68ad
sde                    cc9f17b2-eed2-4ba3-d63d-ed2e017fd02b 
└─md420                4687a633-89c6-46e2-b2c6-c73f0ed629bf # <-- you want this one
  └─<raidname>         eb53d96c-3f55-4462-84b8-a5bec22b68ad # <-- use this if you are also mounting in fstab via uuid not mapper


Add the following to crypttab using the values you obtained in the previous steps.

/etc/crypttab

<mapper name> UUID=4687a633-89c6-46e2-b2c6-c73f0ed629bf /root/<RAIDkey> luks   # the UUID shown on the md420 line, not the one on the member disks

Now use the mapper device or the filesystem UUID (the one shown under <raidname>) to add it to fstab:

/etc/fstab

UUID=eb53d96c-3f55-4462-84b8-a5bec22b68ad      /media/<mountpoint>               ext4    defaults    0    2

After changing the /etc/crypttab file, you have to rebuild initramfs:

sudo update-initramfs -u -k all

Now Reboot and see if it worked!
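The part of this step that goes wrong most often is picking the wrong UUID: the member disks, the md device and the opened mapper each carry one. As an added example (not part of the gist), this script derives both entries from `lsblk -rno NAME,TYPE,FSTYPE,UUID` output, taking the crypto_LUKS UUID on the md device for crypttab and the ext4 UUID under the mapper for fstab, and refusing to use the member-disk UUIDs. The mapper name "raidcrypt", the keyfile path and the mountpoint are assumed placeholders; the sample UUIDs are the ones from the listing above.

```shell
#!/bin/sh
# Added example (not part of the gist): build the /etc/crypttab and /etc/fstab
# lines for an encrypted md array from `lsblk -rno NAME,TYPE,FSTYPE,UUID`.
# crypttab needs the LUKS container UUID (the md device, FSTYPE crypto_LUKS);
# fstab needs the ext4 UUID under the dm-crypt mapper. The identical UUIDs on
# the member disks (linux_raid_member) are never the right ones and are ignored.
set -eu

# Constructed sample in lsblk raw format; UUIDs copied from the gist's listing,
# the mapper name "raidcrypt" is made up.
SAMPLE_LSBLK='sdd disk linux_raid_member cc9f17b2-eed2-4ba3-d63d-ed2e017fd02b
md420 raid1 crypto_LUKS 4687a633-89c6-46e2-b2c6-c73f0ed629bf
raidcrypt crypt ext4 eb53d96c-3f55-4462-84b8-a5bec22b68ad
sde disk linux_raid_member cc9f17b2-eed2-4ba3-d63d-ed2e017fd02b
md420 raid1 crypto_LUKS 4687a633-89c6-46e2-b2c6-c73f0ed629bf
raidcrypt crypt ext4 eb53d96c-3f55-4462-84b8-a5bec22b68ad'

# uuid_for LSBLK_TEXT TYPE_REGEX FSTYPE: UUID of the first matching row;
# non-zero exit (and a message on stderr) when nothing matches.
uuid_for() {
  u=$(printf '%s\n' "$1" | awk -v t="$2" -v f="$3" '$2 ~ t && $3 == f { print $4; exit }')
  [ -n "$u" ] || { echo "no $3 device with TYPE matching $2" >&2; return 1; }
  printf '%s\n' "$u"
}

# crypttab_line MAPPER LUKS_UUID KEYFILE: same shape as the gist's entry.
crypttab_line() {
  printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# fstab_line FS_UUID MOUNTPOINT: nofail keeps a missing or degraded array from
# dropping the boot into emergency mode; pass 2 runs fsck after the root fs.
fstab_line() {
  printf 'UUID=%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

# generate_entries LSBLK_TEXT MAPPER KEYFILE MOUNTPOINT: prints the crypttab
# line, then the fstab line. Any md level matches (raid1, raid5, ...).
generate_entries() {
  luks_uuid=$(uuid_for "$1" '^raid' crypto_LUKS)
  fs_uuid=$(uuid_for "$1" '^crypt$' ext4)
  crypttab_line "$2" "$luks_uuid" "$3"
  fstab_line "$fs_uuid" "$4"
}

# On a real host: generate_entries "$(lsblk -rno NAME,TYPE,FSTYPE,UUID)" \
#     raidcrypt /root/raidkey /media/raid
```

Append the two printed lines to /etc/crypttab and /etc/fstab respectively after checking them by eye; the script never writes to either file itself.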

Link To Original Instructions

Troubleshooting: Reassembling, Scanning, etc.

To get the raid details,

sudo mdadm --detail --scan

Reassembling the Raid

If you need to reassemble the RAID, do the following, replacing the device letters with your own devices (/dev/sdd, /dev/sde, etc.). You can use the following to find the devices of the bum RAID that is not working.

lsblk

Now with the correct devices, reassemble the raid with,

sudo mdadm --assemble --run --force --update=resync /dev/<md420> /dev/sdd /dev/sde
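Before forcing a reassembly it is worth knowing whether the array is simply running degraded (one mirror dropped) rather than failed outright. As an added example, not from the gist, this script parses the kernel's /proc/mdstat layout, where the `[2/1]` field is expected/active members and `[U_]` marks the missing mirror, and reports every array that is short of members. The sample text and member names are constructed.

```shell
#!/bin/sh
# Added example (not part of the gist): report degraded md arrays from
# /proc/mdstat before deciding to --assemble --force anything.
set -eu

# Constructed sample: md420 (the gist's array) has lost one mirror; md0 is
# healthy. Sizes and member names are made up.
SAMPLE_MDSTAT='Personalities : [raid1]
md420 : active raid1 sdd[0]
      976630464 blocks super 1.2 [2/1] [U_]

md0 : active raid1 sda2[0] sdb2[1]
      524224 blocks super 1.2 [2/2] [UU]

unused devices: <none>'

# degraded_arrays MDSTAT_TEXT: prints "<name> <active>/<expected>" for each
# array whose member count is short; prints nothing when all are healthy.
degraded_arrays() {
  printf '%s\n' "$1" | awk '
    /^md[0-9]+ :/ { name = $1; next }
    name != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {
      split(substr($0, RSTART + 1, RLENGTH - 2), c, "/")
      if (c[1] != c[2]) print name, c[2] "/" c[1]
      name = ""
    }'
}

# On a real host: degraded_arrays "$(cat /proc/mdstat)"
```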

Other Helpful References On This Subject

Some resources I used to cobble this together.
